‘NotPetya’ ransomware attack shows corporate social responsibility should include cybersecurity

Author

Associate Professor of Business Law and Ethics; Director, Ostrom Workshop Program on Cybersecurity and Internet Governance; Cybersecurity Program Chair, IU-Bloomington, Indiana University

Disclosure statement

Scott Shackelford does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond the academic appointment above.

The overall idea of corporate social responsibility is that companies should make corporate decisions that reflect obligations not just to owners and shareholders, customers and employees, but to society at large and the natural environment. As a scholar of cybersecurity law and policy and chair of Indiana University’s new integrated program on cybersecurity risk management, I say it’s time to add cyberspace to that list.

Cybersecurity is an effort that not only protects – and even benefits – a company’s bottom line but also contributes to overall corporate and societal sustainability. In addition, by protecting privacy, free expression and the exchange of information, cybersecurity helps support people’s human rights, both online and offline.

In terms of deterring hackers, the number of vulnerable targets will drop, making it harder for hackers to find them, and less worthwhile to even look. And more companies will have defenses ready when cyber attackers come calling. This isn’t a perfect solution: With enough time and resources, any system is vulnerable. But this change in corporate perception is an important step in developing a global culture of cybersecurity.

Customers can get involved in this effort, demanding better cybersecurity from companies they do business with. These can include online retailers, whether small specialized sellers or giants like Amazon. But local bricks-and-mortar stores with customer loyalty programs that have built their brands on trust can also be susceptible to consumer pressure.

To date, it’s been hard to know which companies have the best cybersecurity practices. The product and service reviewers at Consumer Reports have made a start: In March they started evaluating devices, software and mobile apps for privacy and cybersecurity.

Advocacy groups like the Internet Society and many others should ask companies to discuss cybersecurity efforts in their reports to shareholders. And they should urge government agencies to develop voluntary programs like the U.S. Environmental Protection Agency’s Energy Star appliance-efficiency rating system. The U.K. has a certification like this for cybersecurity, called Cyber Essentials. These efforts don’t require executives or managers to make different decisions, but help inform them – and the public – about how the choices they make affect consumers.

Ultimately, companies will play a huge role in shaping the future of our shared experience online. Cybersecurity and data privacy are key elements of this, and it’s time consumers demand corporations treat them as the 21st-century social responsibilities they are.